RSAM User Guides
RSAM is the the governance, risk and compliance (GRC) platform that we are using to manage, organize and analyze data associated with Risk Management and Compliance for systems at Columbia University and Columbia University Irving Medical Center (CUIMC). The use of RSAM allows for automation and continuous risk monitoring of critical information assets and systems. As a stakeholder in a system being assessed by the Risk Management Program, you are required to register your system in RSAM, and to answer the System Questionnaire if it has been determined to be in-scope for a deeper assessment.
On this page
- RSAM System Registration Guide
- RSAM System Assessment Guide
- How to share registration with other stakeholders
- How to access, answer and edit registration as a stakeholder
RSAM System Registration Guide
System Registration is the first step in getting your University System assessed by the Information Security Risk Management Program. During System Registration you will answer certain overall questions about your system, it's setup, it's intended purpose, and the data that it contains. The completed registration questionnaire is reviewed by a risk analyst who will determine if risk assessment needs to be performed for the registered system/application. If a system qualifies for risk assessment, then the system owner and IT custodian will be notified to complete the baseline risk assessment questionnaire.
Navigate to https://rsam.cumc.columbia.edu and log in with your UNI and password. You must be on the Columbia network or connected via VPN to access the site.
Welcome to the RSAM Home Screen.
You can get back here at any time by clicking on Home in the Upper left hand corner, and then on the "0.0 Home" Tab.
To register a system, click on the Create new System Registration link. Do not click on the document icon next to it, which leads to an instructional pop-up window.
Read the informational text to familiarize yourself with the process.
Type in the name of the system you want to register under CU System Registration Name.
Click on Organization: Business Unit and select the appropriate business unit for the system.
Click on Create CU System Registration.
In the Attributes section, please fill out the information about the system itself, independent of the data it stores, in order to describe how the system functions.
The first page asks you to provide a brief overview of the system, including, but not limited to:
- The stated purpose of the system, what function is it meant to address
- Its current status
- When it was first put into production
- How many users it has
- How many records it holds
Click on Next Unanswered button
When you finish each page of questions, click on the Next Unanswered button on the top of the page to move onto the next question. You can also navigate to the other questions by using the other buttons appropriately.
System Stakeholders
In this section you indicate who your System Owner, IT Custodian, and Other Custodian(s) for this system are.These are people who own, manage, and/or have relevant technical knowledge of the system in question. Please refer to the Definitions of Stakeholders page for more information on what these roles entail.
Once a person is identified as a stakeholder, they can also answer or edit the registration on their own. This is useful if you don’t know all the answers yourself. You can ask fellow stakeholders to log in and answer questions related to their expertise.
Please refer to Sharing Worksheets with Other Stakeholders for instructions on how other stakeholders can access, answer, or edit existing registration worksheets.
To choose the appropriate persons for each field:
Click on the magnifying glass icon to open the System Owner Dialog Box.
Click Add.
Type in the UNI or name of the person you are searching for and select eMail if you are searching by UNI, or Name if you are searching by name.
Click on Validate. If the validation went through, then the person's full name should appear, with their UNI in parentheses. If it did not, modify your search text and try again.
Click OK. You will return to the System Owner Dialog Box. Click on Add to add another owner or OK to complete this assignment.
IT Implementation
In this section, you will be asked information about how your system is implemented. This includes questions about it's physical location, the software running on it, and its IP addresses.
While this guide will not cover every question on this page, some fields of note are:
Server IP Address
Click on the Magnifying Glass to open the Server IP Addresses dialog box.
When you find your IP(s), click the check box on the left hand column. When you are done, click Update on the lower right hand corner. (If your server's IP is not in the table, close the dialog by clicking Cancel and leave the entry blank.)
Additional IT Implementation Information
In this field, please describe your system architecture to the best of your ability. This should include how data travels between users, the interaction of any subsystems or components, and a general understanding how the system functions.
Please also list the following stats for your system:
- If you left the “Server IP Addresses” question blank, please also provide the proper IP here.
- Operating system
- Webserver software
- Any relational databases used by the system
Third-party IT Services
If your system uses any third-party services to function, or were used in development of this system, please fill out this section.
Data Flow and System Information
If your system exchanges information with any other systems, please fill out this section.
Risk Assessment Administration and WIP
These sections are for CU/CUIMC Infosec Staff only. Do not fill out any fields on these pages.
The Criticality section includes questions about the type of data the system processes and stores, the purpose of the data, how many users it affects, and questions about its security. These are used to determine the risk of your system.
Business Function
Check off any and all functions that the system fulfills.
Click Next Unanswered when done.
Information Classification
Check off all the types of information that the system transmits, processes or maintains in any form.
Click Next Unanswered when done.
Health Information
Indicate if the system stores, processes, or transmits any of the indicated personal health information (PHI).
Click Next Unanswered when done.
Individual Identifiers
Check off the options that describe the identifiers collected by this system about a patient or research subject.
Click Next Unanswered when done.
Identified Individuals
Check off the one option that best describes the number of individuals with uniquely identifiable records stored in this system.
Click Next Unanswered when done.
Number of Users
Check off the one option that best describes the number of users that access this system on a daily basis.
Click Next Unanswered when done.
Internet
Check off whether the system is accessible from the Internet.
Click Next Unanswered when done.
Audience
Check off which groups of people are the intended users of the system.
Click Next Unanswered when done.
CAS or WIND Authentication
Indicate whether your system authenticates users using the Columbia University Network ID (UNI), and if so, if it is done through our WIND system.
Click Next Unanswered when done.
Availability
Indicate how long the system can be offline before it is intolerable to its userbase.
Click Next Unanswered when done.
If you completed all questions and are ready to submit the registration, click on Save & Submit System Registration To InfoSec. If you were unable to complete all questions, and wish to come back and fill out the rest later, click on Save.
CUIT or CUIMC Security will analyze your responses and be in touch with you if there are any more questions, or if your system is in scope for further assessment.
If your system is selected, you will be notified that there are additional questions you will be required to answer about your system. Please refer to the appropriate section in Additional Information for RSAM System Registration for instructions on how to begin your assessment.
RSAM System Assessment Guide
Once your registration is submitted to Information Security, an Infosec analyst will look over your answers, along with other relevant data, and decide if your system is in-scope for a deeper risk assessment.
If your system is selected, you will be notified that there are additional questions you will be required to answer about your system, which are described below.
Navigate to https://rsam.cumc.columbia.edu and log in with your UNI and password.
Select Home on the upper toolbar, followed by the Home tab on lower toolbar. On the middle of the page, you will see a list of roles:
- If you are the original registrant of the system you are going to be working on, click System Self-Registration.
- If you are another stakeholder (System Owner, IT Custodian), click on System Stakeholder.
You will then see the My Assessments screen. Select the relevant assessment by clicking the Open link in the Action column.
The Assessment Questionnaire will open on the first page of the original registration. To begin answering the new questions, click on Next Unanswered Question on the navigation bar on the left hand side.
When you are ready to save or submit your assessment questionnaire, click on the Go to End button on the left-hand pane (third button from the top).
If you completed all questions and are ready to submit the registration, click on Save & Submit System Registration To InfoSec. This will lock the questionaire and send it to a Risk Analyst for review.
If you were unable to complete all questions, and wish to come back and fill out the rest later, click on Save. This will leave the questionnaire unlocked, allowing you or other stakeholders to return to add or amend your answers.
How to share registration with other stakeholders
The first page of the worksheet (the registration) asks you to identify “System Owner”, “I.T. Custodian”, and “Other Custodian(s)” for the registered system. These are stakeholders that own, manage, and/or have relevant technical knowledge of the system in question. More detailed definitions can be found in Stakeholder Definitions.
Once a person is identified as a stakeholder, they can also answer or edit the registration on their own. This is useful if you don’t know all the answers yourself. You can ask fellow stakeholders to log in and answer questions related to their expertise.
First, click on the magnifying glass icon next to the field corresponding to their defined role: “System Owner”, “I.T. Custodian”, and “Other Custodian(s)”
The System Owner dialog box will open. Click the Add button and type in the UNI (not including @columbia.edu) or name of the person you would like to include.
Note: Select the eMail checkbox if you are searching by UNI, or Name if you are searching by name.
Click on Validate. If the validation went though, then the person's full name should appear, with their UNI in parentheses, for example John Doe(jd001).
If the validation did not go through, please modify your search text and try again.
When you are done adding the stakeholder, click OK. You will return to the System Owner dialog box. Here, you can click Add if you would like to include another stakeholder, or you can click OK to finish.
How to access, answer and edit registration as a stakeholder
Navigate to https://rsam.cumc.columbia.edu and log in with your UNI and password.
Select Home on the upper toolbar, followed by the Home tab on lower toolbar. On the middle of the page, you will see a list of roles:
- If you are the original registrant of the system you are going to be working on, click System Self-Registration.
- If you are another stakeholder (System Owner, IT Custodian), click on System Stakeholder.
You will then see the My Assessments screen. Select the relevant assessment by clicking the Open link in the Action column.
The Assessment Questionnaire will open on the first page of the original registration. Use the navigation pane on the left hand side to navigate to the question you wish you answer.
To skip to the first unanswered question, you can click on Next Unanswered Question on the navigation bar on the left hand side.
To navigate by question type or question text, click on the pull-down menu at the top of the navigation pane.
When you are ready to save or submit your assessment questionnaire, click on the Go to End button on the left-hand pane (third button from the top).
If you completed all questions and are ready to submit the registration, click on Save & Submit System Registration To InfoSec. This will lock the questionaire and send it to a Risk Analyst for review.
If you were unable to complete all questions, and wish to come back and fill out the rest later, click on Save. This will leave the questionnaire unlocked, allowing you or other stakeholders to return to add or amend your answers.